I seem to notice that all this garbage is coming in at a rate of 600+ submissions a night (I normally only get a few because it's a small community database) so, 99.9% of the submissions are spam. Talk about crappy odds.. heh

Ok, I added all the different "anti-spam" code snippets from here and there. Lots have been limited but more is still coming in...

I do notice that normal submissions are coming from (Referrer)

Referrer: http://mydomain.com/cgi-bin/add.cgi

but almost all the spam I am getting is being refereed by...

Referrer: http://mydomain.com

(without the /cgi-bin/add.cgi )

Any ideas? Is it possible to set your referrer to a whole path rather then a domain or will that not be feasible?

Let me know your thoughts and you guys keep up the GREAT work. Gotta love a friendly forum.

Make sure that you have set both www.mydomain.com and mydomain.com in the @db_referers array in the links.cfg file, like the following:


Regards,

------------------
Eliot Lee....
* Check Resource Center
* Search Forums

@db_referers = ('www.mydomain.com', 'mydomain.com', "221.223.bleh.bleh);

(So it covers me fine all three ways, but I think you misread my question.)

No, I didn't. I was making you sure that you completely covered your bases. That is all!



In terms of the "whole" domain or just putting /cgi-bin/add.cgi, this will not work, since the whole domain will be parsed by other scripts.

One other suggestion I have is to use the Modify Password Mod (if you are not using it already), which you have to add a Password field into your add form. Then you can add additional checks (like verifying the password). This will dramatically reduce Auto Submissions.

I have this working in my LINKS directory:


Regards,

------------------
Eliot Lee....
* Check Resource Center
* Search Forums



[This message has been edited by AnthroRules (edited February 20, 2000).]

if you want to get ride of spam, change the name of add.cgi on a regular basis. these guys update their software once or twice a year and eventually they will leave you alone

Good suggestion, theguy.

Regards,

------------------
Eliot Lee....
* Check Resource Center
* Search Forums

Yeah, good one.

After almost 2 years I just started getting spam from a ruskie site. Had to set up @db_referers. Hope it works for me too.

Will
Webmaster
FishHoo! Search Index for Fishermen
http://www.fishhoo.com/

After 4+ years of running Links2 I have just started getting what looks like Russian auto-submit spam.

Have made the @db_referers = ('www.mydomain.com','mydomain.com'); amend as recommended.

Fingers crossed it works.

Cakey

Ok, that didn't work.

Any suggestions as to what to do next?

Interestingly, the notifcation I get for their entry, shows a category that doesn't exist !?! Any thoughts?

Thanks

Cakey

I'm sorry to say I'm more than a novice at this and have had everything "professionally installed" for me. Everything was fine until I "denied" submission from a RUSSIAN domain name. Shortly thereafter I'm getting 10-30 Russian (and others) based submissions.

I tried simply changing the name of add.cgi to addsitehere.cgi via my FTP program but realized in my Links Manager interface that I'd also have to physically edit that text in EVERY Template. Seemed like a LOT of work and hoping something is easier.

Also, any way to DENY all site submissions from a given extension? For example, deny ALL submissions which end in *.ru ?

Finally, none of these SPAM submissions "choose" a particular category. They select the top category which is no category at all. Can I somehow require a category selection, thereby not allowing a non-category (denoted with a "-" line) selection?

Thanks a lot!

You might try this: http://www.gossamer-threads.com/...i?post=276589#276589

It's a mod that requires a person to enter the randomly-generated number sequence in order to submit a link.


Leonard
aka PerlFlunkie

Well, that mod I linked requires SHA, which is depracated in favor of Digest::SHA. I have tried to get it to work using the new standard, but no luck so far. So, as a spam-stopper, I suggest using an add-confirm page; after adding a link and hitting the submit button, another step is required by hitting the submit button on an add-confirm page which shows what will be submitted. Following are instructions based on a mod found here. I changed it some...


Add this sub to site html templates.pl:


sub site_html_confirm_add {
# --------------------------------------------------------
# This routine is used to display what an add-confirm page should look
# like.

&html_print_headers;

print &load_template ('add_confirm.html', {
%in,
%globals
});
}


Create a template called add_confirm.html, containing something like the following:

<p>
<form action= "add.cgi" method="post">
Please verify the following is what you want to submit. If there are any errors, use your 'Back' button to make changes:<br />
Title: <%Title%><input type="hidden" name="Title" value="<%Title%>" /><br />
URL: <%URL%><input type="hidden" name="URL" value="<%URL%>" /><br />
Category: <%Category%><input type="hidden" name="Category" value="<%Category%>" /><br />
Description: <%Description%><input type="hidden" name="Description" value="<%Description%>" /><br />
Contact Name: <%Contact Name%><input type="hidden" name="Contact Name" value="<%Contact Name%>" /><br />
Contact Email: <%Contact Email%><input type="hidden" name="Contact Email" value="<%Contact Email%>" /><br />
<input type="submit" name="add" value="Confirm Details">
</form>
</p>


In add.cgi replace:


# We are processing the form.
if (keys %in != 0) {
&process_form;
}

with:

# We are processing the form.
if (keys %in != 0) {
$in{'add'}? &process_form : &site_html_confirm_add;
}


You will need to modify the template to match your site layout and your input fields.



I think this will work, but I did not test it. Add this to add.cgi:

sub process_form {
# --------------------------------------------------------
my ($key, $status, $line, $output);

# Let's require a category selection
if ($in{'Category'} = "---") {
&site_html_add_failure ("You did not select a category.");
return;
}

# Check the referer.



This can be done with an .htaccess file. A search of the web will turn up lots of info on the specifics.


Leonard
aka PerlFlunkie

I am also getting the .ru spammers! I have made the @db_referers = ('www.mydomain.com','mydomain.com'), and also used the .htaccess file to deny specific extensions.

...still getting the spammers...

my referer says they're coming from http://www.mydomain.com/cgi-local/links/add.cgi

Any ideas?
/Jim

Are they getting through the Add Confirm mod? You can try adding the code below to your add.cgi:

# We are processing the form.
if (keys %in != 0 && $in{'code-word'}) {
$in{'add'}? &process_form : &site_html_confirm_add;
}

If you are NOT using the Add Confirm mod, use this code:

# We are processing the form.
if (keys %in != 0 && $in{'code-word'}) {
&process_form;
}

Then add this to your add.html and add_error.html and add_confirm.html templates:

<input type="hidden" name="code-word">
<input type="submit" name="add" value="Add Resource">

You can change the "code-word" to whatever you want, just be sure to keep it the same in each place: add.cgi, add.html, add_error.html, and add_confirm.html.

What this will do is keep the form from being processed (added) if it does not include the hidden input, which will only be a part of the forms generated on your site.

I did not test this, and it is a hack (quick-fix), but it may work for you...


Leonard
aka PerlFlunkie

PerlFlunkie - I'm trying the Add Confirm mod, but when I add the "Category check" routine, and test using Category = " - " ...

sub process_form {
# --------------------------------------------------------
my ($key, $status, $line, $output);

# Let's require a category selection
if ($in{'Category'} = "---") {
&site_html_add_failure ("You did not select a category.");
return;
}

# Check the referer.

I get a message...

"Unkown Tag: Category"

...any idea what i'm doing wrong?
/Jim

Did you get the Add Confirm mod working OK by itself?
Is the error showing up on the Add Confirm page, or on the Add Error page?

Two other things to try, first change this line to a null value:

# Let's require a category selection
if ($in{'Category'} = "") {

If that does not work, try this bit in place of what I posted earlier:

# Let's require a category selection
if ($in{'Category'} = "---") {
&site_html_add_failure ("You did not select a category.") and return;
}


Leonard
aka PerlFlunkie

The Add Confirm mod works great by itself.
I tried if ($in{'Category'} = "") {

and i get the same result (if no category selected) of blank page message = "Unknown Tag: Category". This is same message received with other code. Interestingly, if I select a valid Category, the proper category shows up on the Confirm Add page, but when I submit to go to next operations, i get a message on the Add Error page that says "You did not select a category", and the Category shows as "" or "---".

I also tried the alternate code...
# Let's require a category selection
if ($in{'Category'} = "---") {
&site_html_add_failure ("You did not select a category.") and return;
}

but got same results as above. (it's not reading the category variable correctly?)
/Jim

It seems that the category entry has caused problems with other mods, too, requiring a bit of "special" coding. When you are testing these, always look at the View Source for the page, and you will see just what information is being passed. Example, since the Add Confirm page works, look at the source for it, and see what is showing up in the hidden input field for Category. (Do this before making the following changes.) Is there an entry, or is it empty?

Maybe it's waiting for the 'else statement'?

Add this right after the 'if' statement:

else {
$category = $in{'Category'};
}

If that does not fix it, try this more complicated bit...

Perhaps the sub for the Add Confirm should be changed to this:

--

sub site_html_confirm_add {
# --------------------------------------------------------
# This routine is used to display what an add-confirm page should look
# like.

$cat = qq|$in{'Category'}<input type="hidden" name="Category" value="$in{'Category'}">~;

&html_print_headers;

print &load_template ('add_confirm.html', {
Cat => $cat,
%in,
%globals
});
}

--

And change the Add Confirm template to this:

Category: <%Cat%><br />



Leonard
aka PerlFlunkie

sorry, i think i've got too many edits to my code now...

so what should the revised routine for ...

sub process_form {
# --------------------------------------------------------

look like complete now?
/Jim

sub process_form {
# --------------------------------------------------------
my ($key, $status, $line, $output);

# Let's require a category selection
if ($in{'Category'} = "") {
&site_html_add_failure ("You did not select a category.");
return;
}
else {
$category = $in{'Category'};
}

Your original problem:



I just did a test on a clean install of Links2, and if I select "-" or no category, then submit, I get this comment on the error page:

--

There were the following errors trying to add your resource:

Category (Can not be left blank)

--

So, the code above should not be required, since the unaltered code requires a category selection. Remove or comment out the above code in your file, and try to add a link through the add page, without selecting a category, and let me know what happens.

Sometimes I forget to check the simple things first, and also how well the original script was written.


Leonard
aka PerlFlunkie

I took out the sub process_form {

code, but left in the other add.cgi mod's...(ie: not a "CLEAN" add.cgi copy)

i still get the Unkown Tag: Category message.
/Jim

Need to see your code to do much more... You can attach (not paste) them here, send them to me via PM, or send me FTP info for your site.

site_html_templates.pl
add.cgi
add_confirm.html (template)


Leonard
aka PerlFlunkie

thanks....appreciate your help. i thought it was working well....but chokes if category = "-"

site_html_templates.pl
add.cgi
add_confirm.html (template)

attached.
/Jim

This has been a real challenge!
Getting Links to remember everything during the Add Confirm process requires a bit of changing in add.cgi. This may not be the best way to do it, but it seems to work, even the error pages!

In add.cgi:

sub main {
# --------------------------------------------------------
local (%in) = &parse_form;
# We are processing the form.
if ((keys %in != 0) && ($in{'do'} eq 'confirm')) {
&process_form;
}
elsif ((keys %in != 0) && ($in{'do'} eq 'add')) {
&process_form_2;
}
# Otherwise we are displaying the form (in site_html.pl).
else {
if ($db_single_category) {
my %is_valid = map { $_ => 1 } &category_list;
$ENV{'HTTP_REFERER'} =~ s,/[^/]+\.[^/]+$,,;
$ENV{'HTTP_REFERER'} =~ m,$build_root_url/(.+?)/?$,;
$is_valid{$1} ? &site_html_add_form ($1) : &site_html_add_form ();
}
else {
&site_html_add_form ();
}
}
}
sub process_form {
# --------------------------------------------------------
my ($key, $status, $line, $output);
# Check the referer.
if (@db_referers and $ENV{'HTTP_REFERER'}) {
$found = 0;
foreach (@db_referers) {
$ENV{'HTTP_REFERER'} =~ /$_/i and $found++ and last;
}
if (!$found) {
&site_html_add_failure ("Auto submission is not allowed in this directory. Please visit the site to add your entry.");
return;
}
}
# This will set system fields like Validated to their proper values.
foreach $key (keys %add_system_fields) {
$in{$key} = $add_system_fields{$key};
}

# Set date variable to today's date.
$in{$db_cols[$db_modified]} = &get_date;

open (ID, "<$db_links_id_file_name") or &cgierr("error in process_form. unable to open id file: $db_links_id_file_name. Reason: $!");
$in{$db_key} = <ID> + 1; # Get next ID number
close ID;
# Validate the form input..
$status = &validate_record(%in);
if ($status eq "ok") {
# Update the counter.
open (ID, ">$db_links_id_file_name") or &cgierr("error in get_defaults. unable to open id file: $db_links_id_file_name. Reason: $!");
flock(ID, 2) unless (!$db_use_flock);
print ID $in{$db_key}; # update counter.
close ID; # automatically removes file lock
# Send the visitor to the add confirm page.
&site_html_confirm_add;
}
else {
&site_html_add_failure($status);
}
}
sub process_form_2 {
# --------------------------------------------------------
my ($key, $status, $line, $output);

# This will set system fields like Validated to their proper values.
foreach $key (keys %add_system_fields) {
$in{$key} = $add_system_fields{$key};
}

# Set date variable to today's date.
$in{$db_cols[$db_modified]} = &get_date;

# Print out the validate input to a "validation database" where it is stored until
# the admin decides to add it into the real database.
open (VAL, ">>$db_valid_name") or &cgierr("error in add_record. unable to open validate file: $db_valid_name. Reason: $!");
flock(VAL, 2) unless (!$db_use_flock);
print VAL &join_encode(%in);
close VAL; # automatically removes file lock
# Send the admin an email message notifying of new addition.
&send_email;
# Send the visitor to the success page.
&site_html_add_success;
}

I split the sub in two, which is the key to keeping the submitted info in memory. The second sub takes the info and processes it as an addition to the validate database, and sends the email.

This is the sub in site_html_templates.pl:

sub site_html_confirm_add {
# --------------------------------------------------------
# This routine is used to display what an add-confirm page should look like.

&html_print_headers;
print &load_template ('add_confirm.html', {
Category => $in{'Category'},
%in,
%globals
});
}

Then add this to add.html, just before the submit button code:

<input type="hidden" name="do" value="confirm" />

This goes in add_confirm.html and in add_error.html:

<input type="hidden" name="ID" value="<%ID%>" />
<input type="hidden" name="do" value="add" />

That should do it!


Leonard
aka PerlFlunkie